![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to cmd_connection.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / charon-cmd / cmd|
Return to cmd_connection.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / charon-cmd / cmd |
1.1 misho 1: /*
2: * Copyright (C) 2013 Tobias Brunner
3: * HSR Hochschule fuer Technik Rapperswil
4: *
5: * Copyright (C) 2013 Martin Willi
6: * Copyright (C) 2013 revosec AG
7: *
8: * This program is free software; you can redistribute it and/or modify it
9: * under the terms of the GNU General Public License as published by the
10: * Free Software Foundation; either version 2 of the License, or (at your
11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12: *
13: * This program is distributed in the hope that it will be useful, but
14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16: * for more details.
17: */
18:
19: #include "cmd_connection.h"
20:
21: #include <signal.h>
22: #include <unistd.h>
23:
24: #include <utils/debug.h>
25: #include <processing/jobs/callback_job.h>
26: #include <threading/thread.h>
27: #include <daemon.h>
28:
29: typedef enum profile_t profile_t;
30: typedef struct private_cmd_connection_t private_cmd_connection_t;
31:
32: /**
33: * Connection profiles we support
34: */
35: enum profile_t {
36: PROF_UNDEF,
37: PROF_V2_PUB,
38: PROF_V2_EAP,
39: PROF_V2_PUB_EAP,
40: PROF_V1_PUB,
41: PROF_V1_PUB_AM,
42: PROF_V1_XAUTH,
43: PROF_V1_XAUTH_AM,
44: PROF_V1_XAUTH_PSK,
45: PROF_V1_XAUTH_PSK_AM,
46: PROF_V1_HYBRID,
47: PROF_V1_HYBRID_AM,
48: };
49:
50: ENUM(profile_names, PROF_V2_PUB, PROF_V1_HYBRID_AM,
51: "ikev2-pub",
52: "ikev2-eap",
53: "ikev2-pub-eap",
54: "ikev1-pub",
55: "ikev1-pub-am",
56: "ikev1-xauth",
57: "ikev1-xauth-am",
58: "ikev1-xauth-psk",
59: "ikev1-xauth-psk-am",
60: "ikev1-hybrid",
61: "ikev1-hybrid-am",
62: );
63:
64: /**
65: * Private data of an cmd_connection_t object.
66: */
67: struct private_cmd_connection_t {
68:
69: /**
70: * Public cmd_connection_t interface.
71: */
72: cmd_connection_t public;
73:
74: /**
75: * Process ID to terminate on failure
76: */
77: pid_t pid;
78:
79: /**
80: * List of local traffic selectors
81: */
82: linked_list_t *local_ts;
83:
84: /**
85: * List of remote traffic selectors
86: */
87: linked_list_t *remote_ts;
88:
89: /**
90: * List of IKE proposals
91: */
92: linked_list_t *ike_proposals;
93:
94: /**
95: * List of CHILD proposals
96: */
97: linked_list_t *child_proposals;
98:
99: /**
100: * Hostname to connect to
101: */
102: char *host;
103:
104: /**
105: * Server identity, or NULL to use host
106: */
107: char *server;
108:
109: /**
110: * Local identity
111: */
112: char *identity;
113:
114: /**
115: * XAuth/EAP identity
116: */
117: char *xautheap;
118:
119: /**
120: * Is a private key configured
121: */
122: bool key_seen;
123:
124: /**
125: * Selected connection profile
126: */
127: profile_t profile;
128: };
129:
130: /**
131: * Shut down application
132: */
133: static void terminate(pid_t pid)
134: {
135: kill(pid, SIGUSR1);
136: }
137:
138: /**
139: * Create peer config with associated ike config
140: */
141: static peer_cfg_t* create_peer_cfg(private_cmd_connection_t *this)
142: {
143: ike_cfg_t *ike_cfg;
144: peer_cfg_t *peer_cfg;
145: proposal_t *proposal;
146: ike_cfg_create_t ike = {
147: .local = "0.0.0.0",
148: .remote = this->host,
149: .remote_port = IKEV2_UDP_PORT,
150: .fragmentation = FRAGMENTATION_YES,
151: };
152: peer_cfg_create_t peer = {
153: .cert_policy = CERT_SEND_IF_ASKED,
154: .unique = UNIQUE_REPLACE,
155: .keyingtries = 1,
156: .rekey_time = 36000, /* 10h */
157: .jitter_time = 600, /* 10min */
158: .over_time = 600, /* 10min */
159: .dpd = 30,
160: };
161:
162: switch (this->profile)
163: {
164: case PROF_UNDEF:
165: case PROF_V2_PUB:
166: case PROF_V2_EAP:
167: case PROF_V2_PUB_EAP:
168: ike.version = IKEV2;
169: break;
170: case PROF_V1_PUB_AM:
171: case PROF_V1_XAUTH_AM:
172: case PROF_V1_XAUTH_PSK_AM:
173: case PROF_V1_HYBRID_AM:
174: peer.aggressive = TRUE;
175: /* FALL */
176: case PROF_V1_PUB:
177: case PROF_V1_XAUTH:
178: case PROF_V1_XAUTH_PSK:
179: case PROF_V1_HYBRID:
180: ike.version = IKEV1;
181: break;
182: }
183:
184: ike.local_port = charon->socket->get_port(charon->socket, FALSE);
185: if (ike.local_port != IKEV2_UDP_PORT)
186: {
187: ike.remote_port = IKEV2_NATT_PORT;
188: }
189: ike_cfg = ike_cfg_create(&ike);
190: if (this->ike_proposals->get_count(this->ike_proposals))
191: {
192: while (this->ike_proposals->remove_first(this->ike_proposals,
193: (void**)&proposal) == SUCCESS)
194: {
195: ike_cfg->add_proposal(ike_cfg, proposal);
196: }
197: }
198: else
199: {
200: ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
201: ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
202: }
203: peer_cfg = peer_cfg_create("cmd", ike_cfg, &peer);
204:
205: return peer_cfg;
206: }
207:
208: /**
209: * Add a single auth cfg of given class to peer cfg
210: */
211: static void add_auth_cfg(private_cmd_connection_t *this, peer_cfg_t *peer_cfg,
212: bool local, auth_class_t class)
213: {
214: identification_t *id;
215: auth_cfg_t *auth;
216:
217: auth = auth_cfg_create();
218: auth->add(auth, AUTH_RULE_AUTH_CLASS, class);
219: if (local)
220: {
221: id = identification_create_from_string(this->identity);
222: if (this->xautheap)
223: {
224: switch (class)
225: {
226: case AUTH_CLASS_EAP:
227: auth->add(auth, AUTH_RULE_EAP_IDENTITY,
228: identification_create_from_string(this->xautheap));
229: break;
230: case AUTH_CLASS_XAUTH:
231: auth->add(auth, AUTH_RULE_XAUTH_IDENTITY,
232: identification_create_from_string(this->xautheap));
233: break;
234: default:
235: break;
236: }
237: }
238: }
239: else
240: {
241: if (this->server)
242: {
243: id = identification_create_from_string(this->server);
244: }
245: else
246: {
247: id = identification_create_from_string(this->host);
248: }
249: auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, TRUE);
250: }
251: auth->add(auth, AUTH_RULE_IDENTITY, id);
252: peer_cfg->add_auth_cfg(peer_cfg, auth, local);
253: }
254:
255: /**
256: * Attach authentication configs to peer config
257: */
258: static bool add_auth_cfgs(private_cmd_connection_t *this, peer_cfg_t *peer_cfg)
259: {
260: if (this->profile == PROF_UNDEF)
261: {
262: if (this->key_seen)
263: {
264: this->profile = PROF_V2_PUB;
265: }
266: else
267: {
268: this->profile = PROF_V2_EAP;
269: }
270: }
271: switch (this->profile)
272: {
273: case PROF_V2_PUB:
274: case PROF_V2_PUB_EAP:
275: case PROF_V1_PUB:
276: case PROF_V1_XAUTH:
277: case PROF_V1_PUB_AM:
278: case PROF_V1_XAUTH_AM:
279: if (!this->key_seen)
280: {
281: DBG1(DBG_CFG, "missing private key for profile %N",
282: profile_names, this->profile);
283: return FALSE;
284: }
285: break;
286: default:
287: break;
288: }
289:
290: switch (this->profile)
291: {
292: case PROF_V2_PUB:
293: add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
294: add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
295: break;
296: case PROF_V2_EAP:
297: add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_EAP);
298: add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
299: break;
300: case PROF_V2_PUB_EAP:
301: add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
302: add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_EAP);
303: add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_ANY);
304: break;
305: case PROF_V1_PUB:
306: case PROF_V1_PUB_AM:
307: add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
308: add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
309: break;
310: case PROF_V1_XAUTH:
311: case PROF_V1_XAUTH_AM:
312: add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PUBKEY);
313: add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
314: add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
315: break;
316: case PROF_V1_XAUTH_PSK:
317: case PROF_V1_XAUTH_PSK_AM:
318: add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_PSK);
319: add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
320: add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PSK);
321: break;
322: case PROF_V1_HYBRID:
323: case PROF_V1_HYBRID_AM:
324: add_auth_cfg(this, peer_cfg, TRUE, AUTH_CLASS_XAUTH);
325: add_auth_cfg(this, peer_cfg, FALSE, AUTH_CLASS_PUBKEY);
326: break;
327: default:
328: return FALSE;
329: }
330: return TRUE;
331: }
332:
333: /**
334: * Attach child config to peer config
335: */
336: static child_cfg_t* create_child_cfg(private_cmd_connection_t *this,
337: peer_cfg_t *peer_cfg)
338: {
339: child_cfg_t *child_cfg;
340: traffic_selector_t *ts;
341: proposal_t *proposal;
342: bool has_v4 = FALSE, has_v6 = FALSE;
343: child_cfg_create_t child = {
344: .lifetime = {
345: .time = {
346: .life = 10800 /* 3h */,
347: .rekey = 10200 /* 2h50min */,
348: .jitter = 300 /* 5min */
349: }
350: },
351: .mode = MODE_TUNNEL,
352: };
353:
354: child_cfg = child_cfg_create("cmd", &child);
355: if (this->child_proposals->get_count(this->child_proposals))
356: {
357: while (this->child_proposals->remove_first(this->child_proposals,
358: (void**)&proposal) == SUCCESS)
359: {
360: child_cfg->add_proposal(child_cfg, proposal);
361: }
362: }
363: else
364: {
1.1.1.2 ! misho 365: child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
1.1 misho 366: child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
367: }
368: while (this->local_ts->remove_first(this->local_ts, (void**)&ts) == SUCCESS)
369: {
370: child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
371: }
372: if (this->remote_ts->get_count(this->remote_ts) == 0)
373: {
374: /* add a 0.0.0.0/0 TS for remote side if none given */
375: ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
376: "0.0.0.0", 0, "255.255.255.255", 65535);
377: this->remote_ts->insert_last(this->remote_ts, ts);
378: has_v4 = TRUE;
379: }
380: while (this->remote_ts->remove_first(this->remote_ts,
381: (void**)&ts) == SUCCESS)
382: {
383: switch (ts->get_type(ts))
384: {
385: case TS_IPV4_ADDR_RANGE:
386: has_v4 = TRUE;
387: break;
388: case TS_IPV6_ADDR_RANGE:
389: has_v6 = TRUE;
390: break;
391: }
392: child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
393: }
394: if (has_v4)
395: {
396: peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
397: }
398: if (has_v6)
399: {
400: peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("::", 0));
401: }
402: peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
403:
404: return child_cfg;
405: }
406:
407: /**
408: * Initiate the configured connection
409: */
410: static job_requeue_t initiate(private_cmd_connection_t *this)
411: {
412: peer_cfg_t *peer_cfg;
413: child_cfg_t *child_cfg;
414: pid_t pid = this->pid;
415:
416: if (!this->host)
417: {
418: DBG1(DBG_CFG, "unable to initiate, missing --host option");
419: terminate(pid);
420: return JOB_REQUEUE_NONE;
421: }
422: if (!this->identity)
423: {
424: DBG1(DBG_CFG, "unable to initiate, missing --identity option");
425: terminate(pid);
426: return JOB_REQUEUE_NONE;
427: }
428:
429: peer_cfg = create_peer_cfg(this);
430:
431: if (!add_auth_cfgs(this, peer_cfg))
432: {
433: peer_cfg->destroy(peer_cfg);
434: terminate(pid);
435: return JOB_REQUEUE_NONE;
436: }
437:
438: child_cfg = create_child_cfg(this, peer_cfg);
439:
440: if (charon->controller->initiate(charon->controller, peer_cfg, child_cfg,
441: controller_cb_empty, NULL, 0, FALSE) != SUCCESS)
442: {
443: terminate(pid);
444: }
445: return JOB_REQUEUE_NONE;
446: }
447:
448: /**
449: * Create a traffic selector from string, add to list
450: */
451: static void add_ts(private_cmd_connection_t *this,
452: linked_list_t *list, char *string)
453: {
454: traffic_selector_t *ts;
455:
456: ts = traffic_selector_create_from_cidr(string, 0, 0, 65535);
457: if (!ts)
458: {
459: DBG1(DBG_CFG, "invalid traffic selector: %s", string);
460: exit(1);
461: }
462: list->insert_last(list, ts);
463: }
464:
465: /**
466: * Parse profile name identifier
467: */
468: static void set_profile(private_cmd_connection_t *this, char *name)
469: {
470: profile_t profile;
471:
472: if (!enum_from_name(profile_names, name, &profile))
473: {
474: DBG1(DBG_CFG, "unknown connection profile: %s", name);
475: exit(1);
476: }
477: this->profile = profile;
478: }
479:
480: METHOD(cmd_connection_t, handle, bool,
481: private_cmd_connection_t *this, cmd_option_type_t opt, char *arg)
482: {
483: proposal_t *proposal;
484:
485: switch (opt)
486: {
487: case CMD_OPT_HOST:
488: this->host = arg;
489: break;
490: case CMD_OPT_REMOTE_IDENTITY:
491: this->server = arg;
492: break;
493: case CMD_OPT_IDENTITY:
494: this->identity = arg;
495: break;
496: case CMD_OPT_EAP_IDENTITY:
497: case CMD_OPT_XAUTH_USER:
498: this->xautheap = arg;
499: break;
500: case CMD_OPT_RSA:
501: case CMD_OPT_AGENT:
502: case CMD_OPT_PKCS12:
503: this->key_seen = TRUE;
504: break;
505: case CMD_OPT_LOCAL_TS:
506: add_ts(this, this->local_ts, arg);
507: break;
508: case CMD_OPT_REMOTE_TS:
509: add_ts(this, this->remote_ts, arg);
510: break;
511: case CMD_OPT_IKE_PROPOSAL:
512: proposal = proposal_create_from_string(PROTO_IKE, arg);
513: if (!proposal)
514: {
515: exit(1);
516: }
517: this->ike_proposals->insert_last(this->ike_proposals, proposal);
518: break;
519: case CMD_OPT_ESP_PROPOSAL:
520: proposal = proposal_create_from_string(PROTO_ESP, arg);
521: if (!proposal)
522: {
523: exit(1);
524: }
525: this->child_proposals->insert_last(this->child_proposals, proposal);
526: break;
527: case CMD_OPT_AH_PROPOSAL:
528: proposal = proposal_create_from_string(PROTO_AH, arg);
529: if (!proposal)
530: {
531: exit(1);
532: }
533: this->child_proposals->insert_last(this->child_proposals, proposal);
534: break;
535: case CMD_OPT_PROFILE:
536: set_profile(this, arg);
537: break;
538: default:
539: return FALSE;
540: }
541: return TRUE;
542: }
543:
544: METHOD(cmd_connection_t, destroy, void,
545: private_cmd_connection_t *this)
546: {
547: this->ike_proposals->destroy_offset(this->ike_proposals,
548: offsetof(proposal_t, destroy));
549: this->child_proposals->destroy_offset(this->child_proposals,
550: offsetof(proposal_t, destroy));
551: this->local_ts->destroy_offset(this->local_ts,
552: offsetof(traffic_selector_t, destroy));
553: this->remote_ts->destroy_offset(this->remote_ts,
554: offsetof(traffic_selector_t, destroy));
555: free(this);
556: }
557:
558: /**
559: * See header
560: */
561: cmd_connection_t *cmd_connection_create()
562: {
563: private_cmd_connection_t *this;
564:
565: INIT(this,
566: .public = {
567: .handle = _handle,
568: .destroy = _destroy,
569: },
570: .pid = getpid(),
571: .local_ts = linked_list_create(),
572: .remote_ts = linked_list_create(),
573: .ike_proposals = linked_list_create(),
574: .child_proposals = linked_list_create(),
575: .profile = PROF_UNDEF,
576: );
577:
578: /* always include the virtual IP in traffic selector list */
579: this->local_ts->insert_last(this->local_ts,
580: traffic_selector_create_dynamic(0, 0, 65535));
581:
582: /* queue job, gets initiated as soon as we are up and running */
583: lib->processor->queue_job(lib->processor,
584: (job_t*)callback_job_create_with_prio(
585: (callback_job_cb_t)initiate, this, NULL,
586: (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
587:
588: return &this->public;
589: }